{"id":16408,"date":"2025-01-22T16:14:11","date_gmt":"2025-01-22T13:14:11","guid":{"rendered":"https:\/\/oberig-it.com\/uncategorized\/web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines\/"},"modified":"2025-01-31T16:22:04","modified_gmt":"2025-01-31T13:22:04","slug":"web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines","status":"publish","type":"post","link":"https:\/\/oberig-it.com\/en\/articles\/web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines\/","title":{"rendered":"Web App Scanning 101: What Security Pros Need to Know About CI\/CD Pipelines"},"content":{"rendered":"<p class=\"p1\"><span class=\"s1\"><i>Git, repositories and pipelines\u2026oh my!\u00a0<\/i>We unpack standard practices in the web app development process and provide guidance on how to use Tenable Web Application Scanning to secure your code.<\/span><\/p>\n<p class=\"p2\"><span class=\"s1\">Awesome! This should be easy. All you need to start is \u2026\u00a0<i>Wait\u2026 what&#8217;s a pipeline?<\/i><\/span><\/p>\n<p class=\"p2\"><span class=\"s1\">Well, let&#8217;s start there. Have you ever used a code repository to track code changes? Every time you make an update to the repository files\/code, you have to do what&#8217;s called a \u201cgit commit\u201d and \u201cgit push.\u201d Developers use Git as a foundation to run their CI\/CD pipelines.<\/span><\/p>\n<p class=\"p2\"><span class=\"s1\"><i>Wait \u2026 what&#8217;s Git, and what does CI\/CD mean?<\/i><\/span><\/p>\n<p class=\"p2\"><span class=\"s1\">To be clear, continuous integration and continuous deployment (CI\/CD) is a methodology \u2014 not a tool.<\/span><\/p>\n<p class=\"p2\"><span class=\"s1\">The \u201cD\u201d in CI\/CD is often referred to as \u201cdelivery\u201d instead of deployment. For the purposes of this blog post, since we are talking about the deployment side of it, I will use that here.<\/span><\/p>\n<p class=\"p2\"><span class=\"s1\">Before we get there, let\u2019s talk about version control. Time to roll back a few years. In 2005, Linus Torvalds, the creator of Linux, built something called \u201cGit,\u201d an open source version control software. Version control allows you to track and control all changes to a codebase.<\/span><\/p>\n<p class=\"p2\"><span class=\"s1\">These codebases, called repositories, are generally used for managing code that is the basis for any software or website that you can think of. Git is the most commonly used version control system while GitHub, now owned by Microsoft, is one of the cloud-based repository hosting platforms utilizing Git.<\/span><\/p>\n<p class=\"p2\"><span class=\"s1\">Developers have been using this great version control tool ever since, but every time they wanted to test their production applications\/software, they had to do the following:<\/span><\/p>\n<ol>\n<li><span class=\"s3\">Log on to a server<\/span><\/li>\n<li><span class=\"s3\">Pull code from a repository<\/span><\/li>\n<li><span class=\"s3\">Package code up in a nice zip-type file<\/span><\/li>\n<li><span class=\"s3\">Send that package to another server that was the staging\/testing environment<\/span><\/li>\n<li><span class=\"s3\">Run the application and confirm it still runs at all<\/span><\/li>\n<li><span class=\"s3\">Run any tests needed against it, such as allowing other developers to come in and poke at it to find broken parts of the application<\/span><\/li>\n<\/ol>\n<p class=\"p2\"><span class=\"s1\">The most efficient developers would make scripts to automate some or all of this work, but there was an even better way\u2026<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-16240 size-full\" src=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/01\/ci-cd-pipelines_image2-1.png\" alt=\"Tenable WAS\" width=\"1200\" height=\"563\" srcset=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/01\/ci-cd-pipelines_image2-1.png 1200w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/01\/ci-cd-pipelines_image2-1-300x141.png 300w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/01\/ci-cd-pipelines_image2-1-1024x480.png 1024w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/01\/ci-cd-pipelines_image2-1-768x360.png 768w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/01\/ci-cd-pipelines_image2-1-24x11.png 24w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/01\/ci-cd-pipelines_image2-1-36x17.png 36w, https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/01\/ci-cd-pipelines_image2-1-48x23.png 48w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/><\/p>\n<p class=\"p1\"><span class=\"s1\"><i>Source: Tenable, December 2024<\/i><\/span><\/p>\n<h4 class=\"p2\"><span class=\"s2\"><b>What is continuous integration?<\/b><\/span><\/h4>\n<p class=\"p3\"><span class=\"s2\">Integration here might not mean what it sounds like. It means that you are building your application and running tests on a schedule or every single time you make a change to your code. Think about how much time this can save. Instead of having to assign tasks out to a team of testers, those tests run every time you change the code. Can you imagine knowing about all of your issues right away?<\/span><\/p>\n<p class=\"p3\"><span class=\"s2\">On top of that, continuous integration automatically builds your application, so you don\u2019t have to package and run it yourself, letting you keep working on building.<\/span><\/p>\n<p class=\"p3\"><span class=\"s2\">For security pros, this is the spot in a pipeline where the dynamic application security testing (DAST) scanner \u2014 available in\u00a0<span class=\"s3\">Tenable Web Application Scanning<\/span>\u00a0\u2014 can help.<\/span><\/p>\n<p class=\"p3\"><span class=\"s2\">At Tenable, we want developers to know about security issues as soon as possible. For reference, this is where software composition analysis (SCA) and static application security testing (SAST) scanning also live. Those tools are used for looking at source code, whereas Tenable Web Application Scanning looks at a built application and scans it with real network requests.<\/span><\/p>\n<p class=\"p3\"><span class=\"s2\">Jenkins is considered the first main and widely adopted CI tool. Jenkins helped teams adopt this methodology. Some teams were already doing this with homegrown solutions. We have documentation on how to deploy the web app scanner in a Jenkins CI\/CD pipeline.<\/span><\/p>\n<h4 class=\"p2\"><span class=\"s2\"><b>What is continuous deployment?<\/b><\/span><\/h4>\n<p class=\"p3\"><span class=\"s2\">Deployment is when you take what you have built and push it out for real use. It\u2019s building an application for production use rather than just for quick testing. Back in the day, developers would log onto their servers and make updates to the applications on the fly. If something broke, well, you\u2019d better remember the changes you made and have fun spinning that back up.<\/span><\/p>\n<p class=\"p3\"><span class=\"s2\">Automated deployment allowed developers to run one script that would spin up an entire environment or application all in one go. Application falls down? No problem! Run the deployment and it can be back up soon.<\/span><\/p>\n<p class=\"p3\"><span class=\"s2\">Continuous deployment allows for changes to be made in the source code and for those to be automatically sent to production. No dev or IT team time is wasted in changing live servers.<\/span><\/p>\n<h4 class=\"p2\"><span class=\"s2\"><b>Wrapping it all up<\/b><\/span><\/h4>\n<p class=\"p3\"><span class=\"s2\">PHEW. Ok. A CI\/CD pipeline is where you combine version control (Git), continuous integration and continuous deployment. It allows teams to develop applications very quickly and not waste time. The pipeline is the ongoing stream of tests and automated actions that all happens based on code changes.<\/span><\/p>\n<p class=\"p3\"><span class=\"s2\">Over time, tools became better and more appeared, such as Bamboo and CircleCI and some others. GitHub Actions came out in 2015, allowing developers to automate software development workflows from within GitHub.<\/span><\/p>\n<p class=\"p3\"><span class=\"s2\">Tenable Web Application Scanning can scan any pipeline. It offers code examples for testing for various tools, but you can throw a test into any pipeline.<\/span><\/p>\n<p class=\"p3\"><span class=\"s2\">For more documentation on how to implement, see\u00a0<span style=\"color: #0000ff;\"><a style=\"color: #0000ff;\" href=\"https:\/\/docs.tenable.com\/web-app-scanning\/Content\/WAS\/GettingStarted\/Integrations\/CI-CD\/Overview.htm\" target=\"_blank\" rel=\"noopener\"><span class=\"s3\">Tenable\u2019s Documentation<\/span><\/a><\/span><\/span><\/p>\n<p><strong>Source:<\/strong>\u00a0<a href=\"https:\/\/www.tenable.com\/blog\/web-app-scanning-101-what-security-pros-need-to-know-about-cicd-pipelines\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #0000ff;\">Web App Scanning 101: What Security Pros Need to Know About CI\/CD Pipelines<\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Git, repositories and pipelines\u2026oh my!\u00a0We unpack standard practices in the web app development process and provide guidance on how to use Tenable Web Application Scanning to secure your code. Awesome! This should be easy. All you need to start is \u2026\u00a0Wait\u2026 what&#8217;s a pipeline? Well, let&#8217;s start there. Have you ever used a code repository [&hellip;]<\/p>\n","protected":false},"author":850,"featured_media":16228,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[142],"tags":[],"class_list":["post-16408","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Web App Scanning 101: What Security Pros Need to Know About CI\/CD Pipelines \u261d Oberig IT blog<\/title>\n<meta name=\"description\" content=\"Web App Scanning 101: What Security Pros Need to Know About CI\/CD Pipelines \u26a1 Oberig IT blog for integrator partners, vendors and end customers\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/oberig-it.com\/en\/articles\/web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Web App Scanning 101: What Security Pros Need to Know About CI\/CD Pipelines \u261d Oberig IT blog\" \/>\n<meta property=\"og:description\" content=\"Web App Scanning 101: What Security Pros Need to Know About CI\/CD Pipelines \u26a1 Oberig IT blog for integrator partners, vendors and end customers\" \/>\n<meta property=\"og:url\" content=\"https:\/\/oberig-it.com\/en\/articles\/web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines\/\" \/>\n<meta property=\"og:site_name\" content=\"Oberig IT\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Oberig.disti\" \/>\n<meta property=\"article:published_time\" content=\"2025-01-22T13:14:11+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-01-31T13:22:04+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/01\/8.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1875\" \/>\n\t<meta property=\"og:image:height\" content=\"625\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Albekova Paula\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Albekova Paula\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Web App Scanning 101: What Security Pros Need to Know About CI\/CD Pipelines \u261d Oberig IT blog","description":"Web App Scanning 101: What Security Pros Need to Know About CI\/CD Pipelines \u26a1 Oberig IT blog for integrator partners, vendors and end customers","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/oberig-it.com\/en\/articles\/web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines\/","og_locale":"en_US","og_type":"article","og_title":"Web App Scanning 101: What Security Pros Need to Know About CI\/CD Pipelines \u261d Oberig IT blog","og_description":"Web App Scanning 101: What Security Pros Need to Know About CI\/CD Pipelines \u26a1 Oberig IT blog for integrator partners, vendors and end customers","og_url":"https:\/\/oberig-it.com\/en\/articles\/web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines\/","og_site_name":"Oberig IT","article_publisher":"https:\/\/www.facebook.com\/Oberig.disti","article_published_time":"2025-01-22T13:14:11+00:00","article_modified_time":"2025-01-31T13:22:04+00:00","og_image":[{"width":1875,"height":625,"url":"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/01\/8.jpg","type":"image\/jpeg"}],"author":"Albekova Paula","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Albekova Paula","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/oberig-it.com\/en\/articles\/web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines\/#article","isPartOf":{"@id":"https:\/\/oberig-it.com\/en\/articles\/web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines\/"},"author":{"name":"Albekova Paula","@id":"https:\/\/oberig-it.com\/en\/#\/schema\/person\/9d804f9c469169d256ca04bc0446793d"},"headline":"Web App Scanning 101: What Security Pros Need to Know About CI\/CD Pipelines","datePublished":"2025-01-22T13:14:11+00:00","dateModified":"2025-01-31T13:22:04+00:00","mainEntityOfPage":{"@id":"https:\/\/oberig-it.com\/en\/articles\/web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines\/"},"wordCount":891,"commentCount":0,"publisher":{"@id":"https:\/\/oberig-it.com\/en\/#organization"},"image":{"@id":"https:\/\/oberig-it.com\/en\/articles\/web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines\/#primaryimage"},"thumbnailUrl":"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/01\/8.jpg","articleSection":["Articles"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/oberig-it.com\/en\/articles\/web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/oberig-it.com\/en\/articles\/web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines\/","url":"https:\/\/oberig-it.com\/en\/articles\/web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines\/","name":"Web App Scanning 101: What Security Pros Need to Know About CI\/CD Pipelines \u261d Oberig IT blog","isPartOf":{"@id":"https:\/\/oberig-it.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/oberig-it.com\/en\/articles\/web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines\/#primaryimage"},"image":{"@id":"https:\/\/oberig-it.com\/en\/articles\/web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines\/#primaryimage"},"thumbnailUrl":"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/01\/8.jpg","datePublished":"2025-01-22T13:14:11+00:00","dateModified":"2025-01-31T13:22:04+00:00","description":"Web App Scanning 101: What Security Pros Need to Know About CI\/CD Pipelines \u26a1 Oberig IT blog for integrator partners, vendors and end customers","breadcrumb":{"@id":"https:\/\/oberig-it.com\/en\/articles\/web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/oberig-it.com\/en\/articles\/web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/oberig-it.com\/en\/articles\/web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines\/#primaryimage","url":"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/01\/8.jpg","contentUrl":"https:\/\/oberig-it.com\/wp-content\/uploads\/2025\/01\/8.jpg","width":1875,"height":625},{"@type":"BreadcrumbList","@id":"https:\/\/oberig-it.com\/en\/articles\/web-app-scanning-101-what-security-pros-need-to-know-about-ci-cd-pipelines\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/oberig-it.com\/en\/"},{"@type":"ListItem","position":2,"name":"Web App Scanning 101: What Security Pros Need to Know About CI\/CD Pipelines"}]},{"@type":"WebSite","@id":"https:\/\/oberig-it.com\/en\/#website","url":"https:\/\/oberig-it.com\/en\/","name":"Oberig IT","description":"Distribution of complex IT and information security solutions","publisher":{"@id":"https:\/\/oberig-it.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/oberig-it.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/oberig-it.com\/en\/#organization","name":"Oberig IT","url":"https:\/\/oberig-it.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/oberig-it.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/oberig-it.com\/wp-content\/uploads\/2023\/06\/logo-new.svg","contentUrl":"https:\/\/oberig-it.com\/wp-content\/uploads\/2023\/06\/logo-new.svg","caption":"Oberig IT"},"image":{"@id":"https:\/\/oberig-it.com\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Oberig.disti"]},{"@type":"Person","@id":"https:\/\/oberig-it.com\/en\/#\/schema\/person\/9d804f9c469169d256ca04bc0446793d","name":"Albekova Paula","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/oberig-it.com\/en\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/267b2447d88f2254471421efc84e51964ec66e50c0a67b40f9346d135523b971?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/267b2447d88f2254471421efc84e51964ec66e50c0a67b40f9346d135523b971?s=96&d=mm&r=g","caption":"Albekova Paula"},"sameAs":["https:\/\/oberig-it.com\/"]}]}},"_links":{"self":[{"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/posts\/16408","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/users\/850"}],"replies":[{"embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/comments?post=16408"}],"version-history":[{"count":4,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/posts\/16408\/revisions"}],"predecessor-version":[{"id":16412,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/posts\/16408\/revisions\/16412"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/media\/16228"}],"wp:attachment":[{"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/media?parent=16408"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/categories?post=16408"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/oberig-it.com\/en\/wp-json\/wp\/v2\/tags?post=16408"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}